I’m working on a small project, it started as simple showcase using only Django, but soon enough I needed more interaction and started a simple front-end in Ember. So now I have to projects, front-end and backend. Django actually morphed to be only an API endpoint, keeping my data on a database and handling a few other things.

So I need to deploy this, on a really basic server, no fancy clouds and CDN stuff. First thought was to deploy to two different servers, but using the same instance of nginx. But them I would have to handle CORS issues, and what not.

That was kind of bothering me… then I found Luke Melia talk on Lightning Fast Deployment of Your Rails-backed JavaScript app. And it just clicked, problem solved. Applying his ideas to Django where really straightforward. I just needed a view, a simple model for storing the current index, and a static folder to store all this. Nginx will server all static files and Django just need to serve the index.html, enabling me to use its templating system.

Django deployment stayed pretty much the same, minus a few extra libraries that weren’t needed anymore and a few paths that changed. I’ve added a few management commands to handle adding, listing and setting the current index page, really basic stuff.

Ember

The easiest part around, just build and upload to the server.

ember build --environment=production

Copy the contents to your server static root after ember build finishes. I’ve automated that using flightplan, it works like Fabric, but it’s all javascript. One issue of flightplan is that it doesn’t ask for passwords while doing ssh or sudo – not really a bad thing, just extra configuration needed. My flightplan config is something like this:

Nginx Configuration

Nginx gave me a few headaches, because I was also using the PushStream module, but in the end I finally found a good enough solution for running both Django and statically serving Ember files. My config is the following, which is pretty much basic:

After all this was in place, refreshing the page was giving me a 404 – Django was trying to find a view for the current url, but it only existed in Ember. To fix that I’ve added to my urls.py the following:

After watching this awesome talk on SELinux, I realized that I should give SELinux another try.

Disclaimer: This is a learning exercise to me, not a guide on how to secure FreePBX

Most Linux How-To guides just say you should disable SELinux, for whatever particular reason they have. But you shouldn’t be disabling it just because you don’t understand what it’s doing and why it’s blocking your commands. So I’ll try to install FreePBX, a software for managing an Asterisk server, following the instructions from here, skipping the step of disabling SELinux. Doing that will show you that SELinux is blocking most of the actions from the web interface, and things are not working as it was supposed to.

So let’s change the enforcing policy to ‘Permissive‘, using the command setenforce. This allows everything to work, but it also logs everything that would be blocked by SELinux on /var/log/audit/audit.log. If you play around FreePBX for a while, you will see lots of entries on that log file, such as:

Every action that would be denied is listed here, how can we use this to allow SELinux to enforce its policies and FreePBX actually works? Another tool can help us: audit2allow. It scans the audit log and figures out what is the best policy to allow those actions to pass SELinux.

First try, I’ll filter only asterisk related logs and pipe it to audit2allow.

But this command only shows what the modules ‘asterisklocal‘ will do, we must run the command with ‘-M‘ to generate the loadable policy file. This post, from Dan Walsh, explains how this work. After generating we need to load it, using semanage -i asterisklocal. Now we can set the SELinux back to enforcing mode and FreePBX should still be working.

That should cover the basics for running FreePBX using SELinux, but this is not supposed to be a complete guide on how to secure FreePBX

Reviewing the policies needed to run FreePBX makes me thing of all the possible exploits and problems that FreePBX hides inside itself. From a security point of view, FreePBX does not use the safest architecture around, it could definitely be improved – maybe splinting in a frontend / backend design. I think it’s safe to say that one should not run other sensitive services on the same server as FreePBX, specially if you disabled SELinux.

Just a small gathering of information on how I’ve setup a tunnel between a Centos 6.3, with openswan and NETKEY ipsec stack, and a Juniper SSG. Before we start configuring, lets define IP’s nets and address (by the way, those are not the real IP’s). We are link two networks with this tunnel, not a network-to-client configuration.

On the Centos side we have:

Name: Office City A

External Ip: 200.201.202.203

Internal Network: 10.20.20.0/24

Internal Gateway Ip: 10.20.20.254

On the Juniper SSG we have:

Name: Office City B

External Ip: 100.101.102.103

Internal Network: 10.20.10.0/24

Internal Gateway Ip: 10.20.10.254

Pre-shared Key: my-long-and-secret-key

Centos Side

First we need to install and configure the centos box. That should be fairly simple, start by installing openswan:

yum install openswan

Now we have to edit /etc/ipsec.conf. The default config should be fine for us, but we have to make sure that the line which includes the configs “.conf” stored under /etc/ipsec.d/ is uncommented. Your config file should look something like this:

Finish configuring the Juniper, and then check the output of ipsec auto --status, it should read something like “IPsec SA established” and “ISAKMP SA established”. Verify your routes and test the tunnel.

Juniper SSG

We can configure the junipers using either the WebUI or the CLI, so I’ll describe first how to configure using the WebUi, and latter I’ll show the CLI config lines. I’m doing a Route Based VPN config as it adds more flexibility to my setup, you can use a Policy Based VPN if you wish, but I’m not covering that here (see a sample config here).

Some extra info we need to know on the Juniper side, is that I have a VPN Zone bound to trust-vr. I recommend that you create a zone for your VPN’s tunnels, as it makes easier to add trafic policies to it later.

Tunnel Interface

Go to Network -> Interface, select “Tunnel IF” and click the New button. Select a not used tunnel number, mine is 1. Also, make sure you select the Zone (VR) as “vpn” and that it’s an unnumbered interface. Click Ok. That’s it for the Tunnel Interface.

VPN AutoKey Gateway

Now we need to setup the VPN Gateway, for that go to VPN -> AutoKey Advanced -> Gateway. Click on the New button. Name the gateway as “gw_to_office_a”. Make sure “Static IP Address” is selected, and fill in the IPv4/v6 Address/Hostname field. The remote IP address is 200.201.202.203.

Click on Advanced button. On that page, enter the Pre-shared Key “my-long-and-secret-key”. Select the correct outgoing interface, mine is “Ethernet0/0”.

On the Security Level field, select “pre-g2-3des-md5“. It’s really important that you get this right!

Make sure the Mode (Initiator) is set to Main. That’s it, just click Ok to save the gateway configuration.

VPN AutoKey IKE

Time to setup the AutoKey IKE VPN, so go to VPN -> AutoKey IKE. Click on New button. I’ll name this vpn as “vpn_to_office_a”. Make sure you selected “gw_to_office_a” as the predefined gateway. Click on Advanced.

On the advanced configuration page, set the security level as “g2-esp-3des-md5“. That’s really import, otherwise the tunnel will not work.

Proxy-ID

We need to setup the Proxy-ID for the tunnel, go to the AutoKey IKE listing, click on Proxy ID for the “vpn_to_office_a” tunnel. Add the following:

Local: 10.20.10.0/24Remote: 10.20.20.0/24Service: ANY

Click on New, and that’s it.

Route

We need to set a static route to Centos network, as it’s not running a dynamic routing daemon (such as RIP, OSPF, BGP, …). Go to Network -> Routing -> Destination. Select “trust-vr” and click New.

The route we want to add is 10.20.20.0/24, using as gateway the interface “tunnel.1” with the address 200.201.202.203. Make the route permanent, set the preference to 20, and add a description “office A network”.

Click Ok to save it.

Policy

As I’m connecting two Trusted networks, I’ll allow any trafic incoming from VPN to Trusted and from Trusted to VPN. You can, and should, set tighter policies as you see fit.

CLI

You can configure the VPN using the CLI, use the following commands, adapt as need.

A friend of mine sent me this post from Phillip Burgess on why Arduino foster innovation on the long run. And he is absolutely right, Arduino does provide the basic environment for learning electronics and basic concepts on computer science and programming.

But I think we could do better. Arduino lack of proper debugging interfaces is a real problem. But it is easily fixable, just create and kickstart an open Arduino Debugger, using the debugWire or the default JTAG interface.

What is my main issue is the lack of in-depth tutorials and manuals, for the ones that need to go the extra mile – learn and explore the full capabilities of the platform. The VIC-20 and the PET computers (or toys) had really great manuals, including the whole schematic and full programming documentation. We don’t have that for Arduino, we have lots of scattered tutorials most on the same subject, without adding much to it.

The basic example, of one of this tutorials, is the “hardware” hello world: blinking a LED. We, electrical engineers, computer scientists, physicists, chemists, take for granted what a LED is, what a CPU does, what an algorithm is, etc. So we just write the really basic steps for doing this hello world. That’s more than enough for us, but it’s just the tip of the iceberg for a beginner and sometimes even for someone with a technology background.

Why can’t a tutorial begin explaining some basic physics of how a LED works, why a through hole led has different length legs, and how an embedded cpu has digital and analog inputs and outputs. LED is just ubiquitous nowadays, but no one really knows how it works (ok, you physicists should know it pretty well). Couldn’t we, as a collective work, write better tutorials? Have a physicist write a basic outline of a PN junction and how it can emit light. Then ask an electrical engineer to write basic concepts of an output port and a computer scientist could write on how a CPU is just a “dumb” serial worker and how software is translated to that “dumb” worker.

I bet that we would have better engineers, fewer frustrated engineers working on software and not on hardware, and happier computer scientist willing to go to the really low-level of the CPU. Just because they now know all the effort that have gone in the develop of that “toy”.

For the last couple of weeks I’ve had several ideas of products that I would like do create as an Open Hardware project. Some of them might be just crazy grandeur – of doing something somewhat impossible – and would have prohibitive costs for something open sourced. Just to be sure, I don’t want to build an open source lunar module (although that would be wicked). Others are doable with a small funding and reusing other open hardware projects.

Letting the impossible projects aside, for now, I would really like to create these with the help of anyone willing to share knowledge and learn something new in the process. So here is the list (with no proper order):

OpenBrewery

There are several DIY beer in the internet, lots of kits – some really basic, others really advanced. Some brewers share the way they brew, but none is really Open Source, or a full project. The idea is to have a small brewery able to brew 40 liters of beer, or less. The system should control all the pumps, heaters, connections needed.

Agriculture/Garden Sensors Network

An active soil monitor with high quality measurements, able to send periodic data on temperature, moisture, pH, etc. Battery powered, with a solar charger, battery should last for at last 10 days. The collected data could be feed to an automatic irrigation system, or just enable better crops.

Telecine System

Since I’ve discovered some really old 8mm films that my grandpa made in the 1960’s, my interest on the subject grew. Converting an old film to a digital media is really expensive, but the mechanics and electronics needed are somewhat simple, and have been in use for ages. The mechanics are known to work since circa 1880, the electronics (CCD’s) have been in use since 1971.

Oscilloscope

There are several high-speed data acquisition systems being developed by CERN. Reuse one of these designs, add a FPGA, a USB 3.0 port, and you have a really basic oscilloscope. Want more channels? Add a backplane for connecting up to 4 acquisition cards and stream all the data to the USB port. Connect the device to a PC, tablet, etc and you have a really good scope. The cost of this system would be probably be bound by the cost of the ADC, which is quite expensive (especially in small quantities).

Portable Ultrasound

A friend of mine, who is a doctor, always talk about the benefits of using ultrasound to early diagnostics. But ultrasound devices for diagnostic are just too expensive to be used by a broader range of physicians, like those on remote areas, accidents, etc. Ultrasound has been in development since circa 1950, which means that the basic electronic needed is simple. The data processing algorithms are way more complicated than the electronics. My idea is to focus on the electronics to have a basic working device, just acquiring all the information needed to feed the proper imaging algorithms. Main challenge is having a fast (2MHz ~ 18Mhz) switch with high voltage (~90V).